Investors usually compare two stocks because they’re holding one or thinking about it. Usually, the stocks in question have some obvious relationship. You wouldn’t try to compare Protolabs to Proctor and Gamble (P&G) because the two firms have nothing in common. However, you might compare P&G to IBM because they’re both dividend growth stocks. You might compare Xometry to Protolabs because the two firms are competitors. So, if we’re going to compare CrowdStrike (CRWD) to Zscaler (ZS), we first want to know how these two firms are related.
Both CrowdStrike and Zscaler are cybersecurity companies that share the same industry and sector Gglobal INndustry Classification pdentary (GICS) which means they will have performance profiles that are positively correlated – that is, they will rise and fall in unison. But to truly compare these firms, we need to know what exactly they do.
CrowdStrike vs Zscaler
The cybersecurity domain is riddled with buzzwords and terminology that changes constantly as Big Four consultants try to make themselves look smarter. Let’s start with what’s advertised on the tin:
- Zscaler: The zero trust leader
- CrowdStrike: Cloud-native platform for protecting endpoints
Let’s deal with the terminology first. The phrase “zero trust” rings a bell because we spoke very favorably about the concept when we looked at Okta (OCT), a cybersecurity firm that could also be the subject of a future comparison article. The term “endpoint” refers to any device that connects to a corporate network. CrowdStrike ensures that no corporate devices get spear-phished or infected with a virus that acts maliciously. The artificial intelligence component ensures zero-day capabilities where software sensors can detect new forms of attacks without having prior knowledge of them. Back in the day, antivirus software programs used to be updated with “signatures” that would be created once new threats were identified. With CrowdStrike, that happens in real time thanks to artificial intelligence. It’s why we first started covering the firm back in our 2017 piece on Cybersecurity Startup CrowdStrike Joins Unicorn Club.
To paraphrase what these companies do:
- Zscaler: Controls access to things
- CrowdStrike: Protects devices from being attacked by malicious software or actors
If these two companies operate in entirely different domains, then companies might adopt both solutions and run them concurrently. Indeed they do, and a 2020 blog post by CrowdStrike talks about how they further deepened their working relationship with Zscaler by providing “a holistic cybersecurity approach for organizations.” Both companies talk about nearly the same total addressable market (TAME) of around $70 billion which means neither have managed to capture more than 4% market share of their respective markets. Of course, they’ll have to compete with some large firms that won’t roll over easily. CrowdStrike competes directly with Microsoft (69X their size), while Zscaler competes against big names like Palo Alto Networks and Cisco.
The Gartner Magic Quadrant seen above describes a domain called “Security Service Edge” which is a new term their MBAs came up with late last year. From the horse’s mouth:
With SSE, Gartner extracts the security portion of its SASE architecture into its own taxonomy and research area, creating a separate market segment. SSE is a cloud-centric security platform, most often offered by a single vendor, that consolidates multiple security capabilities including SWG, ZTNA, cloud access security broker (CASB), data protection, remote browser isolation (RBI), and firewall as a service (FWaaS)
Sounds like a bad case of TMA. If you want to go down that rabbit hole, here’s a blog piece by the creator of the term. For the average retail investor, we can avoid the jargon and conclude that these firms are very similar, yet don’t compete directly. Both companies:
- Have leadership positions in their respective fields
- Offer a cybersecurity solution with about the same sized opportunity ~$70 billion
- Realize juicy gross margins around 80%
- Have net retention rates in the low-to-mid 120s
- Sell to at least 25% of the Global 2000 and 40% of the Fortune 500
- Sell internationally – ZS (49% USA) / CRWD (69% USA)
- Are found in three of the four largest cybersecurity ETFs
They’re also valued relatively the same.
Valuations and Growth
Our recent piece on CrowdStrike Stock – What’s a Fair Valuation? talked about how the company was more likely to let down investors than excite them come earnings time. Sure enough, shares dumped nearly 20% because of weak guidance for Q4-2023. This quarter they beat guidance which wasn’t good enough for Wall Street’s lofty expectations. As one analyst remarked, “a 1% beat is pretty low.” (Roll’s eyes.) This is all short-term noise and an opportunity to add some CRWD shares at a valuation lower than we’ve seen historically. As for Zscaler, they’re trading at the same simple valuation ratio Crowdstrike was trading at before the drop.
19.25 / (4 X .318) = 15
27.46 / (4 X 581) = 12
These companies shared the same valuation ratio prior to CrowdStrike’s recent correction, so this comparison isn’t of much use. Similarly, the market caps aren’t that far off, so investing in CrowdStrike because it’s a “bigger company” isn’t a very compelling argument. Sure, CrowdStrike is one of the three biggest cybersecurity companies out there, but Zscaler isn’t that far behind, and they could even surpass Crowdstrike if they’re growing fast enough. Looking at 18 quarterly revenue numbers we see CrowdStrike growing just a small bit faster than Zscaler.
Above you can see where they started out neck and neck until CrowdStrike emerged as a leader. Over time, CrowdStrike’s revenues have only enjoyed a marginally higher compound annual growth rate (CAGR) as Zscaler.
CrowdStrike or Zscaler?
We weren’t expecting these two cybersecurity companies to have so many similarities. Deciding the “best” firm to invest in will come down to personal preference. We were initially attracted to Cybersecurity’s use of artificial intelligence, but that’s becoming less of a competitive advantage. Nowadays, companies need to be using AI-enabled solutions or they won’t be able to keep up with competitors.
CrowdStrike’s modular approach to selling cybersecurity solutions stands out from Zscaler along with their investment deck which provides a much cleaner picture of what they’re up to along with key SaaS metrics like gross retention plotted over time. If we had to choose between the two, we’d go with CrowdStrike, and we actually did. When shares corrected after their recent earnings letdown, we added a second cybersecurity stock to our tech stock portfolio.
When comparing two stocks, we always start by looking at their competitive positioning. CrowdStrike and Zscaler don’t appear to be competing with each other, but a single M&A event can change that. Private equity firms have been scooping up cybersecurity companies like KnowBe4 and ForgeRock which implies this niche is reasonably valued and will prove resilient in the face of today’s bear market. Either stock seems to offer quality exposure to the cybersecurity theme at valuations that are historically low, but that’s not to say they won’t go even lower. Accumulating slowly using dollar-cost-averaging helps investors avoid market timing risk.
Tech investing is extremely risky. Minimize your risk with our stock research, investment tools, and portfolios, and find out which tech stocks you should avoid. Become a Nanalyze Premium member and find out today!